saasshop/tests/Unit/BackUrlSanitizeForLinksTest.php

<?php

namespace Tests\Unit;

use App\Support\BackUrl;
use PHPUnit\Framework\TestCase;

class BackUrlSanitizeForLinksTest extends TestCase
{
    public function test_sanitize_for_links_should_accept_simple_relative_path(): void
    {
        $this->assertSame('/admin/platform-orders', BackUrl::sanitizeForLinks('/admin/platform-orders'));
    }

    public function test_sanitize_for_links_should_reject_absolute_urls(): void
    {
        $this->assertSame('', BackUrl::sanitizeForLinks('https://evil.com/a'));
        $this->assertSame('', BackUrl::sanitizeForLinks('http://evil.com/a'));
    }

    public function test_sanitize_for_links_should_reject_quotes_and_angle_brackets(): void
    {
        $this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?keyword="a"'));
        $this->assertSame('', BackUrl::sanitizeForLinks("/admin/x?keyword='a'"));
        $this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?a=<b>'));
        $this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?a=>'));

        // 控制字符/CRLF 注入
        $this->assertSame('', BackUrl::sanitizeForLinks("/admin/x?x=1\nSet-Cookie:evil=1"));
        $this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?x=1%0aSet-Cookie:evil=1'));
    }

    public function test_sanitize_for_links_should_reject_nested_back_param(): void
    {
        $this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?back=/admin/y'));
        $this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?a=1&back=/admin/y'));
        $this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?a=1&b=2&back=/admin/y'));

        // 二次编码绕过：%26back%3D 在浏览器/中间层解码后会变回 &back=，因此也应拒绝
        $this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?a=1%26back%3D/admin/y'));
        $this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?a=1%2526back%253D/admin/y'));
    }

    public function test_sanitize_for_links_should_reject_paths_not_starting_with_slash(): void
    {
        $this->assertSame('', BackUrl::sanitizeForLinks('admin/platform-orders'));
        $this->assertSame('', BackUrl::sanitizeForLinks('../admin/platform-orders'));
        $this->assertSame('', BackUrl::sanitizeForLinks('javascript:alert(1)'));
    }
}